[sudo-users] retrieving the remain time of a cached credential
Dennis Schwartz
dennis.schwartz at protonmail.com
Thu Sep 26 09:41:04 MDT 2019
On Tuesday, September 17, 2019 6:27 PM, Dennis Schwartz via sudo-users <sudo-users at sudo.ws> wrote:
> I was wondering if it is possible to get the time left before a cached
> credential expires.
Again, thanks for all the replies. I've finally settled on defining my own
zsh function to get an estimate of the last time `sudo` was successfully run:
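
    SUDO_LAST_USED=0
    function sudo {
        # Record the time before running the real sudo
        local SUDO_CALLED=$(date +%s)
        # $0 is the function name here, so this runs the real `sudo` binary
        if env $0 "$@"; then
            SUDO_LAST_USED=$SUDO_CALLED
            # `sudo -k` invalidates the cached credential, so reset the estimate
            for argv in "$@"; do
                if [ "$argv" = "-k" ]; then
                    SUDO_LAST_USED=0
                    break
                fi
            done
        fi
    }
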
A similar function can be defined for `sudoedit`.
> The only workaround I have seen is to prevent sudo from writing to the
> timestamp file by temporarily setting `limit filesize 0`. (Which might
> be considered a security issue since it prevents sending the email as
> well.)
That `sudo` can quite easily be prevented from sending security email
is the only thing that still bothers me a bit.
For example, one could define the function

    sudo-no-email () {
        (
            trap "" XFSZ
            limit filesize 0
            sudo $@
        )
    }

and run `sudo-no-email touch /root/some-file` and no security email would
ever be sent if the sudo command fails.
Isn't this regarded as a security issue? If not, what's the point of the
security emails?
Thanks again.
Cheers,
Dennis
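
The effect described above, as an added example that is not part of the original post and is not sudo's code: a process that inherits a soft file-size limit of 0 with SIGXFSZ ignored gets EFBIG on its first log write, and it can recover by raising its soft limit back to the hard limit before logging. The function names and the /tmp path are assumptions made for the illustration.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <unistd.h>

/* Added example (not sudo's code): write one constructed log line to a
 * fresh temp file. Returns 0 on success, otherwise the errno value. */
int write_log_line(void)
{
    char path[] = "/tmp/fsize-demo-XXXXXX";   /* constructed sample path */
    static const char msg[] = "auth failure: constructed sample entry\n";
    int fd = mkstemp(path);
    if (fd < 0)
        return errno;
    int err = write(fd, msg, sizeof(msg) - 1) < 0 ? errno : 0;
    close(fd);
    unlink(path);
    return err;
}

/* Mitigation: raise the soft limit back to the hard limit before logging. */
int restore_fsize_limit(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_FSIZE, &rl) != 0)
        return -1;
    rl.rlim_cur = rl.rlim_max;
    return setrlimit(RLIMIT_FSIZE, &rl);
}

/* Reproduce the inherited state: SIGXFSZ ignored, soft limit set to 0. */
int simulate_inherited_limit(void)
{
    struct rlimit rl;
    signal(SIGXFSZ, SIG_IGN);
    if (getrlimit(RLIMIT_FSIZE, &rl) != 0)
        return -1;
    rl.rlim_cur = 0;
    return setrlimit(RLIMIT_FSIZE, &rl);
}

int main(void)
{
    simulate_inherited_limit();
    printf("before restore: %s\n", write_log_line() == EFBIG ? "EFBIG" : "other");
    restore_fsize_limit();
    printf("after restore:  %s\n", write_log_line() == 0 ? "ok" : "failed");
    return 0;
}
```

Restoring the soft limit only helps while the hard limit is still above zero; a privileged program would have to raise the hard limit as well if the caller lowered both.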